Clawsoul Skill New

Security checks across malware telemetry and agentic risk

Overview

This personality skill is mostly coherent, but it needs Review because it can persistently profile chats, alter the assistant persona, and use LLM/network paths despite local-only privacy claims.

Install only if you are comfortable with persistent local personality profiling and behavior-changing prompts. Before enabling it, keep LLM provider settings local or disabled if privacy matters, avoid pasting untrusted Pro tokens, and ask the publisher for clear controls to inspect, delete, and confirm stored profile changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documentation claims a limited permission model, but the analyzed capabilities indicate access to environment variables, file I/O, and network operations that are not clearly declared to users. This creates a trust and review gap: users may install the skill expecting local-only preference learning while the implementation can read/write local data and contact external services, increasing the risk of secret exposure, unauthorized persistence, or data exfiltration.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented purpose centers on personality shaping and local learning, but the behavior includes emotion detection for Pro upsell, external HTTP access to LLM services, and generation of promotional/QR-based artifacts. This mismatch is security-relevant because users and reviewers cannot accurately assess privacy, data flow, or manipulation risks when sensitive chat content may be profiled and sent to outside services under a seemingly benign description.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The manifest presents the skill as a local MBTI/personality initializer, yet it also exposes remote hook and injection behavior through trigger commands and an external endpoint. Combined with sensitive permissions like `read_chat_history`, `modify_system_prompt`, and `local_storage`, this creates a materially broader trust boundary than the description suggests and could enable covert prompt manipulation or exfiltration via a remote service.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: A hardcoded external hook URL is not justified by the stated MBTI-based local personality function, making the network path suspicious in context. Because the skill can read chat history and modify the system prompt, the remote hook could be used to transmit sensitive context off-platform or fetch instructions that alter agent behavior beyond user expectations.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: The awaken flow persists the derived MBTI state to memory via `mm.complete_awaken(mbti)` without any consent, disclosure, or indication of retention policy in this file. Because the skill frames this as an 'awakening/observation' feature, silently turning it into persistent profile state creates a privacy and transparency issue and can surprise users or downstream components that rely on this memory.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: This module implements a direct persona/state overwrite path via token-driven injection into persistent memory, which goes beyond passive observation or local evolution. In an agent context, altering core behavioral memory can materially change future outputs, alignment, and trust boundaries, especially because the code presents the overwrite as successful protocol replacement.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: `parse_token` accepts arbitrary Base64 or raw JSON and returns any dictionary payload, or even wraps unparseable input as a token object, enabling largely unconstrained downstream injection. Because that payload is passed into `mm.inject_soul` without visible validation, an attacker or untrusted caller could persistently implant directives, alter agent behavior, or store malicious control data.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The hook reads persistent local state from a workspace file, including sensitive fields such as a token, even though poster generation is triggered by ordinary chat content and not by an explicit user consent flow for filesystem access. In this skill context, that makes the behavior more dangerous because a seemingly harmless personality/poster feature can quietly inspect local persisted data and use it to influence output.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: This status module exposes a behavioral toggle for a frustration-driven Pro upsell mechanism that is unrelated to simply viewing status. Mixing a read-only/status surface with monetization or persuasion controls increases the chance of hidden or unexpected behavior, weakens user trust, and can enable social-engineering-style prompting when a user is vulnerable or frustrated.

Intent-Code Divergence
Severity: Medium
Confidence: 84%
Finding: The file advertises itself as a status viewer, but it also contains logic to enable or disable 'pain-point guidance' that prompts for a Pro version. This discrepancy is dangerous because it conceals state-changing, commercially persuasive behavior behind an innocuous interface, making auditing harder and increasing the risk of deceptive UX.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The module’s stated behavior is to monitor user frustration and trigger a Pro upsell, which is materially different from the advertised personality/self-evolution purpose. This kind of hidden behavior undermines informed user consent and can enable manipulative data use or dark-pattern monetization in a context where users would not reasonably expect it.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The code deliberately detects negative sentiment and uses that state to display conversion-oriented messages promoting a Pro version. Exploiting moments of frustration for upsell is a manipulative interaction pattern, especially when the feature is not justified by the skill’s stated function or clearly disclosed to the user.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The disable-command logic contradicts its own documentation: matching any substring in patterns like '不要关闭提醒' ("do not turn off reminders") causes the hook to be disabled, even though that phrase literally expresses the opposite intent. This can invert user preference handling, causing persistent behavioral changes without valid consent and making the opt-out control unreliable.

Intent-Code Divergence
Severity: Medium
Confidence: 96%
Finding: The availability check claims it does not perform a full inference, but for non-Ollama providers it actually sends a real MBTI prompt to a remote model. This creates undisclosed network activity, cost, and data-flow behavior that callers may not expect from a lightweight health check.

Description-Behavior Mismatch
Severity: Medium
Confidence: 97%
Finding: The module advertises itself as a local LLM client, but the configuration supports cloud endpoints and later code transmits prompts to them. This mismatch can mislead integrators and users into believing conversations stay local when they may be sent off-device.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The code loads API keys for external providers and is designed to send prompts to those services, which exceeds a 'local learning/local observation' expectation. In a profiling feature, this can result in sensitive conversation data being exported to third parties without clear consent boundaries.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The README states that every user message may be processed for persistent local learning and stored as preferences, learnings, and adaptation data, but it does not clearly warn users about collection scope, retention, or how/when data is deleted. In a skill with `read_chat_history` and `local_storage` capabilities, this can create privacy and consent risks because users may not realize routine conversation is being durably profiled.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The documented `/clawsoul inject <token>` feature allows external token data to overwrite MBTI and preference state, but the README does not clearly warn that existing local personality and learned data may be replaced. This can lead to silent loss or manipulation of stored state, especially if users paste untrusted tokens or do not understand the overwrite behavior.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The skill says it reads chat history and locally learns user preferences, but it does not clearly present this as ongoing behavioral profiling or explain retention and scope. Even if storage is local, silent accumulation of preference data can capture sensitive traits over time and materially changes the privacy risk of ordinary conversation.

Missing User Warnings
Severity: Medium
Confidence: 83%
Finding: Token-based personality injection is described as able to overwrite or deeply replace stored personality and preference state, but the user is not clearly warned about the extent of that change. This is dangerous because an injected token could irreversibly alter behavior, suppress prior safeguards or preferences, and create a social-engineering path for untrusted personality payloads.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The code writes personality state to memory without any user-facing warning in the same flow, even though the returned message only describes learning and evolution in broad terms after the write occurs. Silent profile persistence can undermine informed consent and create privacy risk if other components later use that stored trait data for recommendations or behavior shaping.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The code performs a persistent state-changing call to `inject_soul` immediately after token parsing, with no explicit confirmation step, preview of changes, or warning about long-term behavioral impact. In a system that can modify persona or memory, silent persistence increases the risk of accidental, coerced, or deceptive reconfiguration.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The code loads a persistent state file that contains a token without any user-facing notice, and later includes that token in generated output text for Pro users. This creates a real secret-handling issue: a token stored locally can be exposed through normal feature use, error paths, logs, screenshots, or downstream components consuming the poster/message output.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The code sends the full conversation history to an external LLM analyzer via `client.analyze_conversation(conversation)` without any notice, consent, minimization, or redaction in this file. Because conversation histories often contain sensitive personal data, this creates a real privacy and data-handling risk, especially given the skill’s stated goal of profiling user preferences and MBTI traits over time.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The code persists inferred user preferences and adaptation signals derived from every message via the memory manager, but there is no evidence in this file of notice, consent, minimization, or controls around retention. This creates a privacy vulnerability because behavioral profiling is stored across sessions and could expose sensitive traits or communication habits if the memory store is later accessed, leaked, or reused unexpectedly.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal